(57) Abstract

The invention is a system for protecting the security of computer files. It has hardware elements, including a programmable auxiliary memory and control unit, along with associated software elements. The security subsystem is installed on the host computer bus so that it resides in the control logic, address, and data signal path between the computer storage device and the central processing unit. The security system is accessible by the computer operating system only during installation and initialization. Thereafter it is inaccessible to or by the operating system. Supervisor-determined criteria for access permission to read, write and execute files are entered into the auxiliary memory system, where they are protected from alteration. The security system will deny access to users with invalid entry criteria and refuse to write data to the file storage device when unauthorized operations have been performed. When breaches of these types occur, the security system can lock the computer against further activity until it is released by entry of a master password from supervisory or security personnel. The system maintains a protected area in the computer memory device where, among other data, file signatures of all valid files are retained.

The protected area of memory also maintains appropriate signatures of all internal files in the security system so that they can be automatically checked for integrity.
COMPUTER FILE PROTECTION SYSTEM

BACKGROUND OF THE INVENTION 
The present invention is a method for protection of computer files from unauthorized access and/or modification and from unintentional damage. It is particularly useful for protection of files against malevolent tampering and sabotage.

A problem of serious and potentially disastrous proportions exists in the protection of computer files from unauthorized modification. This ranges from unauthorized but benign entry by unethical computer buffs, who regard it as a personal challenge to find ways to enter a system, to deliberate and criminal sabotage of stored data and software. The extent of computer crime has grown markedly as criminal elements, now aware of the possibility for ill-gotten gain or vengeance, have achieved a hitherto unknown level of sophistication. Much of the computer crime that does occur is little publicized. This is to minimize its consequences and to avoid encouragement of others who might find it attractive. In addition to the possible enormous consequences for business, education, and general government operations, the implications for defense could be of the nature of a major national disaster.

An especially pernicious form of file modification is known as a "virus". The analogy to a biological virus is readily apparent. A computer virus is designed to attach itself to a program already on the computer. The result is a program that is "infected". This usually occurs in a manner that, at least initially, is unapparent to the legitimate user. The infected target files usually appear unchanged until some predefined event or events take place. At this time the virus embedded in the infected files activates. The action taken when the virus is triggered may range from a harmless message flashed throughout the system to the complete destruction of all files in the infected system. A virus must, by definition, modify a file stored in the system in order to propagate itself. A virus recently propagated within three days throughout a nationwide computer network and caused damage in excess of $10 million.
Other forms of computer file vandalism are known within the computer profession as "worms", "Trojan horses", and "bombs". All such programs modify the file system in some manner in order to perform their intended function. While the above terms have specific meanings to computer scientists, for the sake of convenience they will all be classified here as "viruses", since their operation, intent and methods of prevention are in most ways very similar.

Computer files are also subject to innocent errors resulting from accidental and unintended mistakes. Within a given environment the effect may be as damaging as a virus. However, such errors generally do not spread to other computers. A particularly vulnerable environment is one in which software development is in progress. Generally there is no mechanism for protecting files on a computer system from damage by errant programs. Valuable files can easily be destroyed, requiring many hours, days or weeks for reconstruction.

Another source of innocent error is accidental erasure or modification of files. This can result from a simple mistake on the part of the operator and may or may not be salvageable. Most of the commonly used operating systems for individual or networked computers allow files to be erased or modified with simple commands that do not prompt or question the user before proceeding.

Computer security has itself become a recognized specialty within the profession. The most common method of minimizing problems from intrusive sabotage is to incorporate software in the computer system that checks for known types of viruses and/or periodically checks the integrity of the files in the system. There are a number of variations on the software approach to protection. One method of checking file integrity is to perform a test of each file which results in a "signature" for the file. This method is reasonably robust, but it is somewhat time consuming. Most often, the signature is generated using a cyclic redundancy check (CRC) algorithm. A CRC detects accidental corruption well, but it is not designed to resist deliberate forgery; where tampering is the concern a cryptographic hash is the stronger choice. This test does nothing to cure a file which might have become infected, but it does identify files which have been changed since they were last tested. To be truly effective the test should be run each time a file is accessed. However, in most cases this would impose such a large overhead as to make the system non-productive.
A second method is to incorporate a software program which checks each file, as it is used, for a set of known types of infection. Several problems exist with this approach. First, a number of viruses are self-modifying. By that is meant that they change their characteristics specifically in order to thwart this kind of protection. Second, new viruses unknown to the protection program may be introduced into the file system and these will not be recognized. A third problem is that of overhead. It may be so great as to significantly reduce the usefulness of the system.

Another method provides a hardware module which can be programmed to write protect the entire file system. This method is clearly foolproof but poses such cumbersome limitations that it has only limited usefulness. Most business or scientific applications and virtually all program development environments require the ability to modify files. As one example, the files in a database application are usually continually updated by new additions and deletions. The hardware write protect approach appears to have merit only in those unusual instances where an application does not require the file system to be modified. If software support is used to determine when a file can be modified, it is susceptible to the same problems and disadvantages as the other software approaches.

A fourth method uses passwords and other user-specific security protection to limit access to the file system. This is desirable and should be common practice in most computer networks. But it does not prevent the problem of virus entry. One of the most destructive viruses reported to date infected over 5000 computers, all of which had a password and user permission-based file system. The most common use of this type of protection is found on computers based on the UNIX operating system. UNIX is a trademark of AT&T Information Systems, New York, New York, for a linked multi-workstation computer system.

In regard to accidental file erasure, a number of products are available with an "unerase" feature. These take advantage of the way most files are removed from a directory by the operating system. The operating system simply indicates that the storage space of the deleted file is now available for new files, without actually physically erasing the earlier material. The unerase software restores the deleted file name back into the directory. However, it can function successfully only if the storage space occupied by the deleted file has not been overwritten. The process of attempting to recover an accidentally erased file is time consuming and can sometimes result in a corrupted file even under the best of circumstances.

Finally, any software-based system of virus protection has an inherent flaw that can itself be fatal. The very software that is intended to protect against infection can itself be the source of a virus. This very problem recently occurred with a suite of commercial programs touted as the ultimate in anti-virus protection. The case in point was apparent sabotage by a disgruntled employee of the software firm marketing the protection system. An untold number of infections occurred and the manufacturer now faces an enormous liability for damage caused by its product.

Any security system intended to provide protection for file systems which is accessible to the general user through standard system resources can potentially be breached. Whether software based or hardware based, if the protection system can be accessed via normal system resources, then it can be bypassed or, even worse, used to camouflage a virus. A user who thinks the file system is protected is often complacent and less alert to the possibility of an infection. This often leads to a virus doing extensive damage before it is even noticed.

Cognizant of the above noted shortcomings in existing file security systems, the present invention represents a major improvement that greatly reduces and tightly controls the number of potential access points for virus entry without compromising convenience and utility for the general user.

SUMMARY OF THE INVENTION 

The present computer file security system has both hardware and software elements. Unlike any other system known to the present inventor, once installed, the protective elements of the system are completely inaccessible to the general user. The system provides essentially absolute protection against inappropriate modification of all designated files held within the computer memory device.

The file system protection process operates by intercepting the file system data path between the central processing unit and the file storage or memory device. The requested operation is processed according to the criteria established by the supervisory and/or security personnel of the computer system. An elaborate and virtually unbreakable system of access eliminates any chance of file corruption by a general user.

The security subsystem is accessible by the computer operating system for initialization and modification only during an installation stage. After that time the security subsystem is inaccessible to or by the operating system.

Each time the security subsystem sends an error message to a user, the program that delivers the message is first checked for file integrity. While it is active it takes possession of, and disables all other access to, the computer central processing unit.

In general, the hardware elements of the system are integrated with a controller for mass storage of the file system, although this is not always necessary. The process can be just as easily incorporated into a local area network (LAN) controller, a communications controller, or a main processor board for a system. In its broadest form, the present file security system could be applied to a wide variety of situations where access to critical data must be controlled.

The invention includes a programmable auxiliary memory and auxiliary control unit. These can be attached to the host computer bus in a manner such that they are in the control logic, address, and data signal path between the central processing unit and the file storage system. However, once installed in the computer system, the file security system is inaccessible to or by the host computer operating system. Access to the file security system is possible only by using a unique password held by the appropriate supervisory and/or security personnel. Access may be established on a hierarchical basis so that for some designated operations more than one individual must enter passwords in proper sequence.

The supervisory personnel will choose and enter the appropriate criteria for access permission to read, write, and execute operations for all files to be protected. These criteria will be specific to each user or user group. The file security system can be programmed for graduated levels of security and lockout for various types of users.

Upon receiving valid user identification, the auxiliary memory and control unit will indicate to the host computer operating system which files are accessible to that user and the nature of the operations that can be performed on the files. Similarly, users with invalid entry criteria for the files requested will be denied entry, and the file security system will refuse to allow data to be written into the host computer file system when unauthorized operations have been performed.

In many linked computer systems each computer central processing unit has its own associated file system. Usually, the file systems of every individual computer in a linked system are electronically available to every other computer in the system. Most preferably, the file security system of the present invention should be used to protect each file system in a given linked computer system. This would require associating a security system with each file storage device in the system. However, it is quite possible to protect some of the computers in the system while leaving others unprotected. Some linked systems are constructed with a central file storage device, or file server, which is tied to a number of different computers, each having its own central processing unit. In this case a single file security system is adequate to protect the entire network. The file security system of the present invention is equally suitable for use on a single terminal computer.

BRIEF DESCRIPTION OF THE DRAWINGS 

FIG. 1 is a simplified block diagram of a hardware card showing one implementation of the present invention.

FIG. 2 is an index to the symbols used in the following process flow diagrams.

FIGS. 3-6 are process flow diagrams showing the basic logic of the file security system.

FIGS. 7-18 are subprocesses associated with the basic process logic.

FIG. 19 shows a subprocess used within the various other subprocesses.

FIGS. 20 and 21 show direct memory access read and write subprocesses used within the various other subprocesses.
DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

Most of the terms and abbreviations used herein are in common use and well understood by those skilled in computer science. However, the following definitions will unequivocally set their context for the present invention.

ADR, ADDR address
ATRIB attribute
AUTH authorized
BIOS basic input/output system
BLD build
BPB BIOS parameter block
BUS bus (command, address, or data)
BZY busy
CHG change
CHK check
CMD command
CNT count
CNTRL control
CNTX number of increments successfully transferred
CPU central processing unit
CRC cyclic redundancy check
CRTL control
DAT data
DEV device
DMA direct memory access
DPAC data packet
DSTR 32-bit starting logical sector
ERR error
ERRS errors
FLG flag
FRE free
FSS file security system
GEN generic
GET get
HD head
HDR header
IBM-PC a personal computer manufactured by International Business Machines Corporation
ID identity or identification
ILL illegal
INIT initialize
IOCTL input/output control
LBL label
LOG logical
MAJ major
MEM memory
MS-DOS Microsoft Disk Operating System
MTY empty
NUM number
PAC packet
PARM parameter
PC-DOS IBM Personal Computer Disk Operating System
PHYS physical
PREV previous
PTR pointer
QUE queue
RD read
RH request header (from MS-DOS)
RMV remove, removable
SECT sector
SEEK seek
SET set
STAT status
STR starting
SYS system
TBL table
TRK track
TYP type
TSR terminate and stay resident
USR user
VFY verify
VOL volume
WR write
XADR transfer address
XCNT number of increments requested to be transferred
XFR transfer
XSS starting sector for transfer

The term "bus" or "host computer bus" refers to the electronic paths within the host computer that carry address, control, and data signals. The "address bus" is a collection of electrically continuous lines used to provide a unique location for access to a system resource such as memory or input/output devices. The "data bus" is a similar collection of lines used to pass information between locations determined by the address bus. The "control bus" is a similar collection of electrically continuous lines used to define the kind of operation to be performed on a system resource. As an example, the "memory read line" (MEMR) of the IBM-PC control bus specifies that the operation to be performed is to read the contents of memory at the location specified by the address bus and place that information on the data bus. While a bus is most usually regarded in terms of electrical conductors, it should be considered more broadly in terms of the present invention. As used herein the term "bus" should be considered to also include any alternate means of data interface with the CPU of the computer system that would serve the same purpose as conventional electrical conductors. A fiber optic system could be one such alternative. In its broadest context a "bus" is any means or method that carries information between the computer system and any peripheral devices and which provides control and data to a file storage device. It does not matter whether the device is internal or external to the computer itself.

A "device" is any physical piece of equipment integral with the computer system, such as a mass storage unit, printer, console, etc. In terms of internal communication within the computer a "device" is treated or considered in the same manner as a file would be. A "logical device" is a method of mapping a physical device to hide its real characteristics from the operating system. Although multiple physical devices could be mapped to a single logical device, a more common approach is to map a single physical device to multiple logical devices; e.g., a single 64 megabyte hard disk can be mapped to two 32 megabyte logical devices.

"Direct memory access" (DMA) is used to move data between memory and a device by taking control of the address bus, data bus and control bus. The CPU is held off the bus (effectively disabled) during the DMA cycle.

A "logical sector address" enables the use of logical addressing by operating systems to access mass storage devices and hides the physical characteristics of the device. Logical addressing provides significant improvements in device independence of the operating system. The conversion of logical address to physical address is device dependent.

"Parameters", when used with a process, are data passed to the process. When referring to a device they are the constants that define the device; e.g., the number of heads, sectors per track, etc.

A "pointer" is an "object" or variable used to hold the address of another object; i.e., it "points" to the other object. The context of the term "object" is a variable used to hold an address within the addressable range of values of the main CPU. The pointer is used to indirectly store or retrieve other variables.

"Programmed I/O" describes input or output operations which are controlled by the CPU. This type of I/O is generally used to write to the device control register and read from the device status register. Data transfers are usually handled by direct memory access.

A "queue" is a form of temporary storage used to allow asynchronous data flow between the source and destination. A common form of queue allows data to continue to be placed in a waiting list, to avoid having the data source wait, while a slower process operates on the list. The queue is monitored to prevent overflow. If the queue fills, the process sourcing the data must wait until the data consumer has removed data.

A "register" is a location used to hold information associated with an operation. "Device registers" hold either control information, the status of the device after an operation, or data. A "control register" is a device register used to select the function to be performed by the device. A "data register" is used to hold data for transfer to and from the data bus under program control.
A "terminate and stay resident" (TSR) program is one that remains in memory after initial activation. The file security system uses such a program to communicate with the user; e.g., "Access Not Authorized" or "Invalid Password".

Before describing the present invention in detail, it could be helpful to the general reader to very briefly review the essential elements of a digital computer most closely related to operation of the invention. All computers have a central processing unit (CPU) and a file storage device. The latter may include a fixed or "hard" disk, one or more flexible or "floppy" disks, a magnetic tape unit, or an optical device such as a laser-read compact disk unit. The CPU and storage device are joined electronically by a bus system that carries address, control and data signals. The electrical path may not always be electrically direct; i.e., there may be intervening operations on the signals, but the bus maintains the main route of electronic communication between the two units. Other devices such as disk controllers, etc. are essential to operation but are peripheral to the present explanation.

In addition to the basic electronic "hardware", the computer must have a software package known as an "operating system". This serves to enable and supervise the flow of signals between the various hardware elements of the computer, such as the CPU and file storage device, and between the computer and operator. The operating system is not an applications program, such as a data management or spreadsheet tool would be, but it is essential to their use.

A number of well known operating systems are available for computers of different types and capabilities. Two of the most popular products are very similar and are intended for use with personal computers. These are known as MS-DOS and PC-DOS (Microsoft Disk Operating System and Personal Computer Disk Operating System). MS-DOS is a registered trademark of Microsoft Corporation, Redmond, Washington, and PC-DOS and IBM are registered trademarks of International Business Machines Corporation, Armonk, New York. The present invention is suitable for use with these as well as other operating systems such as CP/M, VMS, or UNIX. CP/M is a registered trademark of Digital Research, Pacific Grove, California. VMS is a registered trademark of Digital Equipment Corporation, Maynard, Massachusetts. UNIX is a trademark of AT&T Information Systems, New York, New York. This list should be considered as exemplary and is not inclusive of the many other operating systems suitable for use in conjunction with the present invention.

Whatever the operating system, there is a minimum set of file system operations that must be available. This set must include:

(1) A means of listing the files available on the system to a terminal or display;

(2) A method of providing unique names and internal addresses for the files;

(3) The ability to create a new file, to write information to a file, to read information from a file, and to change the size of a file by adding or deleting information; and

(4) The ability to remove a file from the system.

To implement this minimum set of file system operations there is an attendant set of hardware and software functions. While these functions vary in complexity and capability, the following is a representative minimum set.

(1) A means of storing files. Usually this is a mass storage device such as a fixed disk or one of the other types previously noted. The file system must be capable of handling files in a manner consistent with the requirements of the operating system.

(2) A method of formatting the storage medium to meet the needs of the file system. The format generally involves sectioning the storage medium in such a way that the translation between a logical location and a physical location is minimized. The operating system deals with logical addresses of information while the actual storage device operates on physical addresses.

(3) A means of passing commands to the storage subsystem. This typically is a hardware card that interfaces the addresses and data from the system bus to the storage subsystem hardware.

(4) A means of implementing commands to (a) position or index the storage media to a known starting position, (b) read from a specific location on the medium and make the information available to the system bus, and (c) write information from the system bus to a specific location on the medium. In the latter two cases the information is moved directly into and from the system read/write memory by a mechanism known as direct memory access (DMA).

The file security subsystem may be likened to a gate and gate tender on the pathway linking the CPU and file storage subsystem. Only information that meets a set of predefined criteria is allowed to pass. Once placed in position, the gate is impregnable to any changes in the criteria that an unauthorized person might attempt to make via the operating system. Changes can only be made by an appropriate security director having the master access password.

This location in a computer is unique for a file security system. The only other subsystem placed astride the main bus in similar fashion is an encryption/decryption device. It is emphasized here that the file security subsystem is not, nor is it in any way analogous to, an encryption device. It may include an encryption device, but this would be entirely ancillary to its main function and operation.

Because they are so well known and in such common use, the description of the invention that is to follow will be based on the use of the PC-DOS or MS-DOS operating systems used with IBM or IBM-type personal computer equipment. However, it should be understood that this is done for the sake of convenience and simplicity of description, and the invention should not be considered as limited to these or any other operating systems or computer equipment.

The file security subsystem has a cache memory system attached to the host computer main bus. This provides the elasticity needed to minimize delays associated with the parsing of information by the protection process. While a specific bus transaction is being evaluated, additional transactions are queued up for subsequent processing.

During installation of the file security subsystem (FSS), a set of file access criteria are entered and stored in nonvolatile memory in the FSS and also written to a portion of the host computer file storage device which is subsequently marked as inaccessible to the operating system. These criteria are used by the protection process to determine the type of access authorized on a specific system. After installation the file security system is accessible only by use of a master password that will presumably be known only by an appropriate security director or system administrator.

The file access criteria will include the names of files which are to be protected at all times. These will generally be the basic executable files that constitute the application for which the system is intended, as well as any utility and system files used by or in support of the application. The access criteria will also contain the names of files that are allowed to modify specified files, along with the names or types of the specific files which may be modified.

Other access criteria are relatively conventional. The user may be required to enter a login code which can be associated with a specific directory, group of files, or both. The login code can then be used as a test for a password; i.e., if the password given is not authorized for the login group entered, the user will be denied access, even if the password is otherwise valid. This, in effect, provides a double password system.
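The access-criteria logic of the preceding paragraphs, worked through as an added example (it is not the patent's own code, which lives in the auxiliary memory and control unit): files protected at all times, the programs permitted to modify particular files, a login code that must agree with the password, and a lockout that only the master password releases. The user names, login groups, paths, passwords and the policy in build_demo() are constructed for illustration.

```python
# Added example (not the patent's code): the decision logic behind the FSS access
# criteria, with login-code plus password checks and a master-password release.
# Names, paths, passwords and the policy in build_demo() are constructed.
import fnmatch
import hashlib
import hmac
import secrets
from dataclasses import dataclass

PBKDF2_ROUNDS = 50_000  # assumption: any slow, salted password hash would do

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

@dataclass
class UserEntry:
    salt: bytes
    pw_hash: bytes
    login_codes: set  # login groups this user's password is authorised for

@dataclass
class AccessCriteria:
    always_protected: set  # patterns that may never be written through the OS
    modifiers: dict        # target pattern -> program names allowed to write it
    groups: dict           # login code -> {path pattern: permitted operations}
    users: dict            # user name -> UserEntry

def make_user(password: str, login_codes) -> UserEntry:
    salt = secrets.token_bytes(16)
    return UserEntry(salt, hash_password(password, salt), set(login_codes))

class FileSecuritySystem:
    def __init__(self, criteria: AccessCriteria, master_password: str, max_failures: int = 3):
        self.criteria, self.max_failures = criteria, max_failures
        self._master_salt = secrets.token_bytes(16)
        self._master_hash = hash_password(master_password, self._master_salt)
        self.failures, self.locked = 0, False
        self.sessions = set()  # (user, login_code) pairs that passed login
        self.log = []          # the optional transaction log

    def _lock(self, reason: str) -> None:
        self.locked = True
        self.log.append(("LOCK", reason))

    def login(self, user: str, login_code: str, password: str) -> bool:
        entry = self.criteria.users.get(user)
        ok = False
        if entry is not None and not self.locked:
            # the password must be valid AND authorised for the login group entered
            candidate = hash_password(password, entry.salt)
            ok = hmac.compare_digest(candidate, entry.pw_hash) and login_code in entry.login_codes
        self.log.append(("LOGIN", user, login_code, ok))
        if ok:
            self.failures = 0
            self.sessions.add((user, login_code))
        else:
            self.failures += 1
            if self.failures >= self.max_failures:
                self._lock("repeated invalid login attempts")
        return ok

    def check(self, user: str, login_code: str, op: str, path: str, program: str = "") -> bool:
        """May `program`, run by `user` under `login_code`, do `op` on `path`? A breaching write locks."""
        if self.locked or (user, login_code) not in self.sessions:
            return False
        if op == "write":
            if any(fnmatch.fnmatchcase(path, p) for p in self.criteria.always_protected):
                self._lock(f"write attempted on protected file {path}")
                return False
            for pattern, allowed_programs in self.criteria.modifiers.items():
                if fnmatch.fnmatchcase(path, pattern) and program not in allowed_programs:
                    self._lock(f"{program or '<unknown>'} attempted to modify {path}")
                    return False
        perms = self.criteria.groups.get(login_code, {})
        return any(fnmatch.fnmatchcase(path, p) and op in ops for p, ops in perms.items())

    def release(self, master_password: str) -> bool:
        candidate = hash_password(master_password, self._master_salt)
        ok = hmac.compare_digest(candidate, self._master_hash)
        if ok:
            self.failures, self.locked = 0, False
        self.log.append(("RELEASE", ok))
        return ok

def build_demo() -> FileSecuritySystem:
    """Constructed policy: executables and system files are never writable, the database
    may be modified only by DBAPP.EXE, and two login groups see different directories."""
    criteria = AccessCriteria(
        always_protected={"BIN/*.EXE", "SYS/*"},
        modifiers={"DATA/*.DBF": {"DBAPP.EXE"}},
        groups={"DEV": {"SRC/*": {"read", "write"}, "BIN/*": {"read", "execute"}},
                "OPS": {"DATA/*": {"read", "write"}, "BIN/*": {"read", "execute"}}},
        users={"alice": make_user("alice-pw", {"DEV"}), "bob": make_user("bob-pw", {"OPS"})},
    )
    return FileSecuritySystem(criteria, master_password="master-pw")
```

Here the tables are ordinary Python objects, so the example shows only the decision rules; the isolation property that is the patent's central point (criteria held in memory the operating system cannot reach) is not something a program running under that operating system can reproduce.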
Operation of the File Security System

During startup, the file security system will check the files associated with the operating system for consistency. This is done by comparing the file signatures of the active files with those held in archival status in a portion of memory within the file storage device that is inaccessible to the operating system. The same check can be made for any change in file signature of all executable files. As was noted earlier, a signature for each file can be generated; e.g., by using a cyclic redundancy check algorithm. If any inconsistency is found during startup, the file system storage device is write protected by the file security system and the user notified. The file which caused the warning is identified and the system is effectively locked until corrective action is taken. This might include removal and replacement of the affected file or an override by the system administrator, who must use the master password. If the decision is made to override, the file signature can be updated so that the next startup will accept the modified file.

Programs run by the user are consistency checked as they are loaded into the system memory for execution. As in the startup phase above, any corruption of a file will result in disabling the write circuitry, user notification, and system lockup pending supervisory action.
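The startup and load-time consistency check of the last two paragraphs, as an added example that is not the patent's code. It uses CRC-32 signatures as the text suggests, and it shows the caveat a practitioner needs: CRC-32 is an affine function, so an attacker who can modify a file can append four bytes that restore its original CRC, and the check then accepts the infected file. Keying the signature with an HMAC over the same table closes that gap; that key, the file names and contents, and the master password are assumptions of this example, not something the patent describes.

```python
# Added example (not the patent's code): the start-up consistency check described
# above, with CRC-32 signatures as the text suggests, plus the caveat a practitioner
# needs: a CRC catches accidents, not deliberate tampering. forge_crc32() makes an
# infected file match its archived signature; a keyed HMAC closes that gap. File names,
# contents, the key and the master password are all constructed for illustration.
import hashlib
import hmac
import zlib

CRC_TABLE = []
for n in range(256):
    c = n
    for _ in range(8):
        c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
    CRC_TABLE.append(c)
TOP_BYTE_INDEX = {entry >> 24: i for i, entry in enumerate(CRC_TABLE)}  # high bytes are unique

def crc_signature(data: bytes) -> int:
    return zlib.crc32(data)

def hmac_signature(data: bytes, key: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

def forge_crc32(data: bytes, target: int) -> bytes:
    """Return 4 bytes such that crc32(data + suffix) == target: walk the CRC register
    backwards over four unknown bytes via the table's unique high bytes, then forwards."""
    reg = zlib.crc32(data) ^ 0xFFFFFFFF   # internal register after `data`
    want = target ^ 0xFFFFFFFF            # register we need after the suffix
    indices = []
    for _ in range(4):                    # backwards: which table entry each step used
        i = TOP_BYTE_INDEX[want >> 24]
        indices.append(i)
        want = ((want ^ CRC_TABLE[i]) << 8) & 0xFFFFFFFF
    suffix = bytearray()
    for i in reversed(indices):           # forwards: the byte that selects that entry
        suffix.append((reg ^ i) & 0xFF)
        reg = CRC_TABLE[i] ^ (reg >> 8)
    return bytes(suffix)

class IntegrityMonitor:
    """Archived signature table with the write-protect and lock behaviour of the text."""

    def __init__(self, table: dict, sign, master_password: str):
        self.table = dict(table)   # file name -> archived signature, out of the OS's reach
        self.sign = sign
        self._master = master_password.encode()
        self.write_protected = self.locked = False

    def _trip(self) -> None:
        self.write_protected = self.locked = True   # storage write-protected, system locked

    def startup_check(self, files: dict) -> list:
        """Compare each archived file with its signature; return the inconsistent ones."""
        bad = [name for name, data in files.items()
               if name in self.table and self.sign(data) != self.table[name]]
        if bad:
            self._trip()
        return bad

    def load_check(self, name: str, data: bytes) -> bool:
        """Consistency check as a program is loaded for execution."""
        ok = name in self.table and self.sign(data) == self.table[name]
        if not ok:
            self._trip()
        return ok

    def override(self, master_password: str, name: str, data: bytes) -> bool:
        """Supervisory override: accept the modified file and re-archive its signature."""
        if not hmac.compare_digest(master_password.encode(), self._master):
            return False
        self.table[name] = self.sign(data)
        self.write_protected = self.locked = False
        return True

CLEAN_FILES = {  # constructed stand-ins for operating-system and application files
    "COMMAND.COM": b"command processor (constructed)",
    "APP.EXE": b"application binary (constructed)",
}
DEMO_KEY = b"constructed key; a real FSS would keep it in its protected area"

def run_demo() -> dict:
    def monitor(sign):
        return IntegrityMonitor({n: sign(d) for n, d in CLEAN_FILES.items()}, sign, "master-pw")

    keyed = lambda data: hmac_signature(data, DEMO_KEY)
    infected = CLEAN_FILES["APP.EXE"] + b"\x90\x90 virus payload (constructed)"
    forged = infected + forge_crc32(infected, crc_signature(CLEAN_FILES["APP.EXE"]))
    crc_mon = monitor(crc_signature)
    return {
        "crc_detects_infection": crc_mon.startup_check({**CLEAN_FILES, "APP.EXE": infected}),
        "locked_after_detection": crc_mon.locked,
        "override_accepted": crc_mon.override("master-pw", "APP.EXE", infected),
        "load_after_override": crc_mon.load_check("APP.EXE", infected),
        "crc_detects_forged": monitor(crc_signature).startup_check({**CLEAN_FILES, "APP.EXE": forged}),
        "hmac_detects_forged": monitor(keyed).startup_check({**CLEAN_FILES, "APP.EXE": forged}),
    }
```

run_demo() returns the outcome of each step: the plain infection is caught and locks the system, the master-password override re-archives the new signature so the next load passes, the CRC-forged infection passes the CRC table unnoticed, and the keyed table catches it. The forgery needs only four spare bytes, which an executable's padding readily supplies, so the choice of signature function matters as much as where the table is stored.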

The file security system will detect any attempt to install new files on the system via the disk drives, serial interface, supported local area networks, or by any executable file. This applies even if the new file is generated on the workstation itself.

The system administrator has a great deal of flexibility in setting security levels. Certain features can be disabled or expanded at the discretion of the administrator.

An optional feature of the file protection system is creation 
of a transaction log recorded in the protected portion of the file 
storage device. This can include such items as attempted entries to the 
system, entries attempted using bad login codes or passwords, terminal 
locations, time and date, etc. The transaction log is accessible only 
to supervisory people possessing the master password to the file security 
system. 
It can be seen from the above description that by placing the 
file security system in the data path between the CPU and storage 
device, and by making it invisible to the operating system, the computer 
file system is protected against deliberate tampering from either local 
sources or those at other linked locations. Corrupted files are refused 
entry by write protecting the storage device. Even in the event that 
such files should somehow find entry, they are detected and identified 
and the system is locked before the corrupted files can do the intended 
damage. This protection is equally important in guarding the system 
from damage by benign errors that frequently occur during program development. 

A very important part of the file security system is its 
terminate and stay resident (TSR) program. In the event of entry being 
denied to the system for some reason, or an unauthorized operation being 
performed, the TSR program will send an error message to the user. 
However, before each use the TSR program is itself checked for file 
integrity. During the time the TSR program is active it takes possession 
of and disables all other access to the CPU. Further, the TSR 
program directly accesses the keyboard, bypassing all system software. 

Specific operation of the file security system hardware and 
software can best be understood by now referring to the Figures. FIG. 1 
is a simplified block diagram showing one version of a hardware implementation. 
Given this diagram, the specific construction of the unit 
will be evident to one skilled in computer science. 

FIG. 2 is a symbol legend to the process logic diagrams shown 
in FIGS. 3-21. Reference to these diagrams will convey a full best 
present mode disclosure to one skilled in the art. A step-by-step 
verbal description is not only not necessary but would be redundant. 

The basic outline of the process logic is shown in FIGS. 3-6. 
FIG. 6 ties by the various offpage connector symbols to subprocesses 
shown in FIGS. 7-18. FIG. 19 is a subprocess used within the various 
other subprocesses. FIGS. 20 and 21 show direct memory access subprocesses 
also used in the various other subprocesses. 

Having thus disclosed the best mode known by the inventor of 
making and using his invention, it will be evident to those skilled in 
the art that many variations are possible without departing from the 
spirit of the invention. The invention should be considered as being 
limited only as it is described in the appended claims. 
CLAIMS: 

1. In a computer file protection method for a host digital 
computer, said computer having a file storage device and a central 
processing unit connected electronically by a bus carrying control 
logic, address, and data signals, said computer further being supplied 
with operating system software, the improvement which comprises: 

providing a file security subsystem for said digital computer, 
said security subsystem further comprising a programmable auxiliary 
memory and control unit attachable to the host computer bus in a manner 
so that it resides in said control logic, address, and data signal path 
between said storage device and central processing unit, said security 
subsystem being accessible by the computer operating system for initialization 
and modification only during an installation stage of the security 
subsystem but following said installation stage, during computer 
system operation, the security subsystem is inaccessible to or by the 
operating system, 

the auxiliary memory system being adapted for receiving and 
retaining supervisor entered criteria for access permission for read, 
write and execute operations for all files to be protected, 

so that upon receiving valid user identification the auxiliary 
memory and control unit will indicate to the host computer operating 
system which files are accessible to that user and what operations may 
be performed upon said files, said auxiliary control unit denying entry 
to users with invalid entry criteria and refusing to write data to the 
file storage device when unauthorized operations have been performed. 

2. The computer file protection method of claim 1 which further 
includes the internal capability of self checking its associated 
file integrity. 


3. A computer file protection method which comprises: 

providing a host digital computer, said computer having a file 
storage device and a central processing unit connected electronically by 
a bus carrying control logic, address and data signals; 
supplying operating system software for said computer; 
further providing a file security subsystem for said digital 
computer, said security subsystem further comprising a programmable 
auxiliary memory and control unit attachable to the host computer bus in 
a manner so that it resides in said control logic, address, and data 
signal path between said storage device and central processing unit, 
said security subsystem being accessible by the computer operating 
system for initialization and modification only during an installation 
stage of the security subsystem but following said installation stage, 
during computer system operation, the security subsystem is inaccessible 
to or by the operating system, 

the auxiliary memory system being adapted for receiving and 
retaining supervisor entered criteria for access permission for read, 
write and execute operations for all files to be protected, 

so that upon receiving valid user identification the auxiliary 
memory and control unit will indicate to the host computer operating 
system which files are accessible to that user and what operations may 
be performed upon said files, said auxiliary control unit denying entry 
to users with invalid entry criteria and refusing to write data to the 
file storage device when unauthorized operations have been performed. 


4. The file protection method of claim 3 wherein the file 
security subsystem after installation is accessible from the host computer 
only by entry of a proper master password. 

5. The file protection method of claim 3 wherein the file 
security subsystem during installation creates a protected area within 
the file storage device inaccessible to the operating system but accessible 
to the security subsystem. 

6. The file protection method of claim 5 including determining 
a unique file signature for all pertinent files within the system, said 
signatures being retained for archival reference in the protected storage 
area, comparing the archival signatures with the current signatures 
of user requested files prior to permitting user access to the files, 
and write protecting the storage device if file signatures do not correspond. 
7. The file protection method of claim 5 including checking 
the file signature of files loaded into the central processing unit for 
execution, comparing said file signatures with archival signatures held 
within the protected storage area, and write protecting the file storage 
device if file signatures do not correspond. 

8. The file protection method of claim 6 which further 
includes locking the computer system from further activity when said 
file signatures do not correspond, said computer system remaining disabled 
until unlocked by a person with access to a master password. 

9. The file protection method of claim 7 which further 
includes locking the computer system from further activity when said 
file signatures do not correspond, said computer system remaining disabled 
until unlocked by a person with access to a master password. 

10. The file protection method of claim 3 which further 
includes taking possession of the host computer central processing unit 
by the file security subsystem and disabling all other access to said 
central processing unit at such time as the security system detects 
invalid entry criteria or an unauthorized operation. 

11. The file protection method of claim 3 which further 
includes checking file signatures of the internally stored parameters in 
the file security system for integrity prior to notifying a user that 
entry has been denied or an unauthorized operation has been attempted. 

12. The file protection method of claim 3 which further 
includes checking the file access criteria for consistency from archival 
file signatures held within the protected storage area. 

13. The file protection method of claim 3 which further 
includes creating a transaction log in the protected storage area, said 
transaction log being accessible only to a person having a master 
password. 

14. The file protection method of claim 3 in which said 
supervisor entered criteria are specific for each user or user group. 